eXtrapola
Log inRequest demo

Privacy Policy

PRIVACY NOTICE FOR WEBSITE USERS

In accordance with applicable personal data protection laws (the “Privacy Law”), including EU Regulation 2016/679 (the “GDPR”), as well as Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (the “Privacy Code”), EXTRAPOLA S.R.L., VIA TORCONCA 17/G-19, 47842 SAN GIOVANNI IN MARIGNANO, VAT no. 02681950404 – tax code 02681950404 (the “Controller”), acting as data controller, informs users (hereinafter the “Users” or, singularly, the “User”) of the website www.extrapola.com (the “Website”) that it will process personal data collected through the Website in the manner and for the purposes described in this notice (the “Notice”).

By browsing the Website, the User acknowledges having read and understood the content of this Notice.

1) Data Controller

The data controller is EXTRAPOLA S.R.L., with registered office at VIA TORCONCA 17/G-19, 47842 SAN GIOVANNI IN MARIGNANO, VAT no. 02681950404 – tax code 02681950404, reachable at +39 0541 1837821 or at the following e-mail address: privacy@extrapola.com.

2) Types of data processed through the Website

The Controller will process only the following categories of personal data of Users who browse and interact with the Website’s web services, in particular:

  1. Data implicitly collected while a User browses the Website

    The IT systems, cookie technology and software procedures used for the operation of the Website acquire, during their normal operation, certain data whose transmission is implicit in the use of the Internet. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow Users to be identified.

    This category of data includes, for example, IP addresses or domain names of the computers used by Users connecting to the Website, pages visited by Users within the Website, domain names and addresses of Internet sites from which the User accessed the Website (via referral), the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the web server, the size of the file obtained in response, the numerical code indicating the status of the response sent by the web server, and other parameters relating to the browser type (e.g. Internet Explorer, Google Chrome, Firefox), operating system (e.g. Windows) and the User’s IT environment.

    Such data are also collected through cookie technology, namely text and number files installed during browsing on a website, in the memory of the device (PC, smartphone or tablet) connected to the Internet through the browser application installed thereon. For further information on cookies used on the Website, Users are invited to consult the Cookie Notice available at the following link: https://www.iubenda.com/privacy-policy/12996335.

  2. Personal data provided directly by the User in communications with the Controller

    This refers to data provided to the Controller directly by the User (such as, by way of example and not limitation: first name, last name, e-mail address, personal data of the sender possibly contained in e-mail communications or attachments thereto, etc.) following the sending of an e-mail or other communications to the Controller’s contacts indicated on the Website, as well as following subscription to the newsletter service and/or to specific sector mailing lists.

3) Purposes and legal bases of processing

The personal data provided (implicitly or directly) by the User will be processed for the following purposes (“Purposes”):

  1. to comply with the accounting and tax obligations to which the Controller is subject.

    In this case, the legal basis of processing is the legal obligation to which the Controller is subject pursuant to Article 6(1)(c) of the GDPR;

  2. to allow Users to browse the Website.

    In this case, the legal basis of processing is the legitimate interest of the Controller, pursuant to Article 6(1)(f) of the GDPR, to: (i) inform the User, through the content of the Website, and make them aware of the Controller’s professional profile, activities carried out, services offered and publications; (ii) improve the quality and structure of the Website, as well as create new services, functionalities and/or features thereof; (iii) interact with Users interested in the Controller’s services, through the contact details published on the Website;

  3. to carry out maintenance and technical support necessary to ensure the proper functioning of the Website and the services connected to it.

    In this case, the legal basis of processing is the legitimate interest of the Controller, pursuant to Article 6(1)(f) of the GDPR, to: (i) prevent fraud or other crimes through the use of the Website; (ii) improve the quality and structure of the Website, as well as create new services, functionalities and/or features thereof; (iii) manage and process statistical surveys (after anonymisation of the data) on the use of the Website;

  4. to allow the Controller to exercise its rights in court and suppress unlawful conduct.

    In this case, the legal basis of processing is the legitimate interest of the Controller, pursuant to Article 6(1)(f) of the GDPR, to: (i) prevent fraud or other crimes through the use of the Website; (ii) manage litigation of the Controller or of a third party in court;

  5. to allow the sending to the User, following completion of the newsletter registration form of the Controller and/or sector mailing lists, of communications by e-mail of a purely informational and educational nature regarding the Controller’s activities and professional services, as well as regarding any invitations to events and/or conferences organised and/or sponsored by the Controller, also in collaboration with third parties, or in which the Controller’s professionals take part as speakers.

    In this case, the legal basis of processing is the performance of pre-contractual and contractual measures adopted at the User’s request pursuant to Article 6(1)(b) of the GDPR, as well as the legitimate interest of the Controller in providing ongoing updates regarding relevant developments in the sector of interest of its customers or prospective customers pursuant to Article 6(1)(f) of the GDPR;

  6. to allow the sending to the User of e-mail communications regarding activities, initiatives and/or services proposed by the Controller for marketing purposes and/or other advertising or promotional material, different from the purely informational and educational material referred to in letter e) above.

    In this case, the legal basis of processing is the data subject’s consent pursuant to Article 6(1)(a) of the GDPR.

Where the legal basis of processing is the legitimate interest of the Controller, the Controller confirms that it has carried out a prior assessment aimed at ensuring the proportionality of the processing so that the rights and freedoms of Users are not prejudiced, taking into account their reasonable expectations in relation to the specific processing activity.

Users may request further information on the above assessment by sending an e-mail to the following address: privacy@extrapola.com.

The Controller also informs the User that they may (i) withdraw at any time any consent given, without prejudice to the lawfulness of processing based on consent before its withdrawal; (ii) object at any time to the processing of their personal data on the basis of the Controller’s legitimate interests.

In particular, if the User in the future wishes to stop receiving communications for informational and educational purposes and/or for marketing purposes from the Controller, it will be sufficient to select the “Unsubscribe” option at the bottom of the e-mail communications to unsubscribe from the mailing list.

If the Controller intends to use the personal data collected for any other purpose incompatible with the above Purposes for which they were originally collected or authorised, the Controller will inform the User in advance, possibly obtaining consent for the further processing of the data.

4) Nature of data provision

The provision of data implicitly supplied by the User occurs automatically when browsing the Website. Therefore, if the User does not intend to provide any personal browsing data, they are asked not to visit this Website, not otherwise use this Website, or not provide consent when such option is offered pursuant to the Privacy Law.

The provision of data directly supplied by the User in the context of communications with the Controller is optional. However, failure to provide such data may make it impossible to receive responses to communications sent by the User to the data controller.

The provision of data directly supplied by the User for receiving newsletters is necessary to complete the subscription to, and benefit from, the newsletter service or specific sector mailing list. In the event of refusal or failure to provide the requested data, it will not be possible to receive the Controller’s newsletters or specific sector communications.

The provision of data directly supplied by the User for receiving marketing communications is necessary to receive such communications. In the event of refusal or failure to provide the requested data, it will not be possible to receive marketing communications from the data controller.

5) Data processing methods

With regard to the stated Purposes, the processing of personal data may consist of the activities indicated in Article 4(1)(2) of the GDPR, namely: collection, recording, organisation, storage, consultation, processing, communication by transmission or any other form of making available, restriction, erasure and destruction of personal data.

Processing may be carried out by automated tools, with logic strictly related to the Purposes themselves and, in any case, in such a way as to ensure the security and confidentiality of the data, as well as compliance with the specific obligations established by the legislation in force and applicable from time to time.

6) Access to data and disclosure of data

The Users’ personal data will be processed by the Controller’s staff, specifically appointed as authorised persons for processing.

Even without the User’s express consent, the data controller may disclose the User’s data for the Purposes set out in Paragraph 3 above to supervisory and/or control bodies of the Controller, judicial authorities as well as all other parties to whom disclosure is mandatory by law for the performance of those Purposes, in their capacity as independent data controllers.

In addition, the Controller may entrust some processing operations of personal data carried out for the Purposes set out in Paragraph 3 above to categories of recipients, specifically appointed by the Controller itself, if necessary, as processors, including, by way of example and not limitation:

  1. the Website’s technical service providers;

  2. hosting providers offering Website hosting services.

The complete and updated list of processors and persons authorised to process data is kept at the Controller’s registered office and may be requested in the manner set out in the following Paragraph.

Users’ data will not be disclosed to the public or to unspecified parties.

7) Transfer of data outside the EU

Data management and storage will take place on servers of the Controller located within the European Union and/or of third-party companies engaged and duly appointed as processors.

Any transfer of Users’ data outside the European Union may occur only within the terms and with the safeguards provided for by the Privacy Law and, in particular, in accordance with Articles 44–49 of the GDPR.

8) Data retention period

Personal data for the Purposes referred to in Paragraph 3, letters a), b), and c) will be retained and processed for the entire duration of browsing and, after browsing ends for any reason, for a period not exceeding 24 months.

Personal data collected for the Purposes referred to in Paragraph 3, letter d) will be retained only for the time strictly necessary to achieve the Purposes for which they were collected and, in any case, for no longer than 10 years from their collection.

Personal data collected for the Purpose referred to in Paragraph 3, letter e) will be retained only for the time strictly necessary to achieve the Purpose and in any case for no longer than 24 months from their collection.

At the end of the retention periods, personal data will be deleted, unless there are further legitimate interests of the Controller and/or legal obligations that make their retention necessary, subject to minimisation.

9) Users’ rights

The User, as a data subject, shall always have the right to withdraw any consent given and may also exercise the following rights at any time:

  1. the “right of access”, namely to obtain confirmation as to whether or not personal data concerning them exist and to receive them in intelligible form;

  2. the “right to rectification”, namely the right to request the rectification or, where they are interested, the completion of personal data;

  3. the “right to erasure”, namely the right to request the deletion or anonymisation of data processed unlawfully, including those that do not need to be retained in relation to the Purposes for which the personal data were collected or subsequently processed;

  4. the “right to restriction of processing”, namely the right to obtain from the Controller the restriction of processing in certain cases provided for by the Privacy Law;

  5. the right to request from the Controller the indication of the recipients to whom it has notified any rectifications, deletions or restrictions of processing (carried out pursuant to Articles 16, 17 and 18 GDPR, in fulfilment of the notification obligation, except where this proves impossible or involves a disproportionate effort);

  6. the “right to data portability”, namely the right to receive (or transmit directly to another controller) personal data in a structured, commonly used and machine-readable format;

  7. the “right to object”, namely the right to object, in whole or in part:

    • to the processing of personal data carried out by the Controller for its own legitimate interest;
    • to the processing of personal data carried out by the Controller for marketing or profiling purposes.

In the above cases, where necessary, the Controller will inform the recipients to whom the User’s personal data have been disclosed of any exercise of rights, except in specific cases where this is not possible or would involve a disproportionate effort and, in any case, as provided by the Privacy Law.

Where processing is based on consent, the User shall also have the right to withdraw any consent given at any time, without prejudice to the lawfulness of processing based on consent before withdrawal.

10) How to exercise rights and complaint to the Data Protection Authority

The User may exercise their Rights at any time in the following ways:

  1. by e-mail, to: privacy@extrapola.com;

  2. by ordinary post, to the registered office of EXTRAPOLA S.R.L., VIA TORCONCA 17/G-19, 47842 SAN GIOVANNI IN MARIGNANO, VAT no. 02681950404 – tax code 02681950404.

The Controller informs the User that, under the Privacy Law, they have the right to lodge a complaint with the competent supervisory authority (in particular in the Member State of their habitual residence, place of work or place of the alleged infringement) if they believe that their Personal Data are processed in a way that constitutes a violation of the GDPR.

To facilitate the exercise of the right to lodge a complaint, the name and contact details of the European Union supervisory authorities are available at the following link: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

Finally, if the User wishes to lodge a complaint with the supervisory authority competent for the Italian territory (i.e. the Italian Data Protection Authority), the complaint form is available at the following link: https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/4535524.

Updated October 2023